OneTrust - Risk Workflow Procedure
This step by step guide for Risk Owners provides instructions for how to manage Risks within OneTrust.
Cybersecurity Risks are identified and added to the Risk Register based upon responses in OneTrust Assessments. These Risks may be automatically created during Assessments, manually created, or bulk uploaded from Assessments completed outside of OneTrust. As an assigned Risk Owner, you are responsible for completing all steps associated with Risks you are assigned. Some or all of these steps may be completed in conjunction with a Cybersecurity Risk Analyst. A Risk Analyst's involvement depends upon the type of Assessment being completed. If you have any questions about this Risk Workflow Procedure, please contact the Risk Analyst who performed your Risk Assessment.
The Risk Workflow follows four stages: Identified, Evaluation, Treatment, and Monitoring. Details on each Workflow Stage can be found here: OneTrust - Risk Management Workflow Stages
Upon creation, Risks start in the Identified Stage. Complete the following steps to resolve the identified risk:
- Once a Risk has been identified, ensure all appropriate information has been added in OneTrust, including:
- Deadline: Set deadline for Risk resolution, should be no more than 12 months.
- Description: Should accurately describe the identified risk specfic to where (Division, Department, etc) it was found. The Description may also contain any compensating controls already in place.
- Inherent Risk Level: Auto generated by OneTrust. Leave as is.
- Reminder: How many days before the deadline should an email reminder be sent out.
- Residual Risk Level: Updated level of identified risk considering any compensating controls or extenuating circumstance that may increase risk.
- Risk Approver: Should be assigned to "UW RMC Risk Approver."
- Risk Owners: Individuals responsible for mitigation of the Risk. Includes management whom oversee systems and technologists who work on these systems.
- Source: The Assessment that generated the Risk.
- Hit "Save" at the bottom of the Risk Details screen before advancing.
- After ensuring information has accurately been recorded for the Risk in OneTrust, advance the Risk to the Evaluation stage.
- To advance the stage, click Evaluation in the stage tracker.
- Once in the Evaluation stage, update the following fields on the Risk:
- Target Risk Level: The level to which risk should be reduced. Typically "Very Low" or "Low" (1-5).
- Treatment Plan: Accurate description of the steps to mitigate or remediate the identified Risk.
- Treatment Status: Tracks the progress of the risk treatment (Not Started, In-Progress, Completed).
- During the Evaluation stage, consider the alternatives for resolving the Risk. These include:
- Accepted: For some processes and activities, there is no option but to accept the risk. Of course, these instances should only involve low risk, or repercussions that are easily managed. Some risks might be completely acceptable and require you to take no action at all (a missed deadline on an open-ended project schedule, for instance).
- Avoided: Risk avoidance is actually pretty self-explanatory. If a risk is deemed too high, then you simply avoid the activity that creates the risk. For instance, if flying in an airplane is too risky, you avoid taking the flight in the first place, and completely avoid the risk. Another example would be hiring an individual whose references would not recommend rehiring them — by not hiring them, you avoid the risk that they would not be an asset to your company.
- Reduced: Risk reduction is one of the most crucial steps for processes or activities that cannot be avoided, and where risk cannot be transferred to another party. An example of this would be training your staff on how to identify a phishing email, or on best practices involving login credentials and password hygiene.
- Transfered: In many instances, you can transfer the risk you take to another party. For instance, insurance companies exist for exactly this reason. You can also outsource the process in which the risk is present to another provider, thereby transferring the risk to the outsource provider.
- Once you have determined your approach to the Risk (Accept, Avoid, Reduce, or Transfer) and defined and documented your Treatment Plan, the Risk may be advanced to the Treatment stage.
- To advance the stage, click Treatment in the stage tracker.
- Risks in the Treatment stage are actively being worked on according to the defined Treatment Plan.
- To help track the Risk Treatment work, you can generate Tasks or add Comments to the Risk in OneTrust.
- Tasks can be generated and assigned to staff responsible for particular Risk Treatment steps. These tasks can be as granular as you'd like.
- Comments may be used in a similar fashion as Tasks to document Risk treatment efforts, or may contain records of treatment decisions or changes in approach.
- Once you have implemented your Treatment Plan or have decided to Avoid, Accept, or Transfer the Risk, the Risk may be advanced to the Monitoring stage.
- To advance the stage, click Monitoring in the stage tracker.
- Update the required fields in the pop-up:
- Result: Accepted, Avoided, Reduced, or Transfered
- Residual Risk Level / Score: Based on the chosen Result and corresponding Treatment Plan, this is the remaining risk level. If the Risk was Reduced and you implemented a Treatment Plan, the Residual Risk Level likely decreased to "Very Low" or "Low" (1-5). Likewise, if the Risk was Avoided or Transferred the Residual Risk Level should be lowered. If you Accepted the Risk, the Residual Risk Level should not be changed.
- Comments: Add comments relevant to the Risk Treatment Result.
- Once in the Monitoring stage, it is likely the Risk will no longer require your attention and can be considered resolved. However, if circumstances around the risk change (for example, the Operating System of a system becomes obsolete and is no longer supported) the Risk may be reopened and re-evaluated following the same steps described above.
If you have any questions about this Risk Workflow Procedure, please contact the Risk Analyst who performed your Risk Assessment.